State Data Privacy Laws

A comprehensive guide to data privacy legislation across the United States

Understanding US State Data Privacy Laws

Data privacy legislation is rapidly evolving across the United States. While there is no comprehensive federal privacy law, many states have enacted their own legislation to protect consumer data rights. This page provides links to official state privacy laws and regulations.

20+

States with Privacy Laws

20+

States Considering Legislation

100M+

Americans Protected

Common Consumer Rights Across State Privacy Laws

Most state privacy laws grant consumers similar fundamental rights:

👁️

Right to Know

What data is collected and how it's used

🗑️

Right to Delete

Request deletion of personal data

✋

Right to Opt-Out

Stop sale or sharing of data

✏️

Right to Correct

Fix inaccurate personal information

📦

Right to Portability

Receive data in usable format

🚫

Non-Discrimination

No retaliation for exercising rights

How the Major State Privacy Laws Compare

Side-by-side on what each law actually requires. Washington's MHMDA is the outlier: the only health-specific law, the only one demanding a separate health-data policy, and the only one a consumer can personally sue under.

Living comparison, expanded as new laws take effect. Last updated: May 31, 2026. Engineering pre-screen, not legal advice.

Dimension	WA MHMDA	CA CCPA/CPRA	CO CPA	VA VCDPA	CT CTDPA
Health-specific law?	Yes (consumer health data)	No (general; health is "sensitive")	No	No	No
Requires a separate health policy?	Yes (distinct link)	No	No	No	No
Requires the state name as a keyword?	No	No	No	No	No
What it tests instead	Substantive disclosures + consent + authorization	Notice + rights + opt-out of sale/share	Notice + rights + opt-out	Notice + rights + opt-in for sensitive	Notice + rights + opt-in for sensitive
Cookies / tracking hook	Tracking that collects health data needs consent; sale needs authorization	Opt-out of sale/share for cross-context behavioral ads; honor GPC	Opt-out of targeted advertising; honor universal opt-out	Opt-out of targeted advertising	Opt-out of targeted advertising; honor GPC
Sensitive / health processing	Core subject	Opt-out / limit use	Opt-in consent	Opt-in consent	Opt-in consent
Private lawsuits?	Yes (via WA Consumer Protection Act)	Limited (data-breach only)	No (AG only)	No (AG only)	No (AG only)

Substance over keyword. None of these laws require the state's name to appear as a magic word. Compliance is doing the right things (disclosures, consent, authorization, opt-out, honoring Global Privacy Control), not printing a place name. This is an engineering pre-screen, not legal advice; verify with counsel.

Built to expand. As new state privacy laws take effect (Texas, Oregon, Montana, and additional health-data statutes on the 2025 to 2027 calendar), we add columns and re-baseline. The framework is law-agnostic: each law contributes a weighted set of testable elements.

State-by-State Data Privacy Laws Guide

Click on any state to view official legislation and resources

Last updated: May 13, 2026

✅ States with Enacted Privacy Laws

California

Enacted

California Consumer Privacy Act (CCPA)

Effective: January 1, 2020

Comprehensive privacy law granting rights to access, delete, and opt-out of data sales.

View Official CCPA Page →

California Privacy Rights Act (CPRA)

Effective: January 1, 2023

Expanded CCPA with additional rights and enforcement by the California Privacy Protection Agency.

View CPPA Website →

Virginia

Enacted

Virginia Consumer Data Protection Act (VCDPA)

Effective: January 1, 2023

Provides rights to access, correct, delete, and opt-out of targeted advertising and data sales.

View Virginia Code §59.1-571 et seq. →

Colorado

Enacted

Colorado Privacy Act (CPA)

Effective: July 1, 2023

Grants consumers rights to access, correct, delete, and opt-out of data processing.

View Colorado AG Resources →

Connecticut

Enacted

Connecticut Data Privacy Act (CTDPA)

Effective: July 1, 2023

Provides consumer rights to access, correct, delete, and opt-out of data processing.

View Connecticut AG Page →

Utah

Enacted

Utah Consumer Privacy Act (UCPA)

Effective: December 31, 2023

Grants rights to access, delete, and opt-out of data sales and targeted advertising.

View Utah SB 227 →

Washington

Enacted Health Data

My Health My Data Act (MHMDA)

Effective: March 31, 2024

One of the nation's strictest health privacy laws, impacting any entity collecting consumer health data in WA.

Expert Insight: I specialize in the "Right to Deletion" workflows required by MHMDA, ensuring that revokes of consent are technically enforced across distributed cloud environments (AWS/Azure).

View RCW 19.373 → Washington MHMDA Engineering Protocols →

Biometric Identifiers Law

Effective: July 23, 2017

Requires notice and consent for collection of biometric identifiers for commercial purposes.

View RCW 19.375 →

Data Breach Notification Law

Effective: July 24, 2015

Requires notification to residents and Attorney General after data breaches.

View RCW 19.255 →

Montana

Enacted

Montana Consumer Data Privacy Act (MCDPA)

Effective: October 1, 2024

Provides consumer rights to access, correct, delete, and opt-out of data processing.

View Montana MCDPA (MCA 30-14-28) →

Oregon

Enacted

Oregon Consumer Privacy Act (OCPA)

Effective: July 1, 2024

Grants rights to access, correct, delete, and opt-out of data sales and targeted advertising. 2025 amendment: Prohibits sale of personal data for consumers under 16 and precise geolocation within 1,750 feet.

View Oregon SB 619 →

Texas

Enacted

Texas Data Privacy and Security Act (TDPSA)

Effective: July 1, 2024

Provides consumer rights to access, correct, delete, and opt-out of targeted advertising.

View Texas HB 4 →

Delaware

Enacted

Delaware Personal Data Privacy Act (DPDPA)

Effective: January 1, 2025

Grants consumer rights to access, correct, delete, and opt-out of data processing.

View Delaware HB 154 →

Iowa

Enacted

Iowa Consumer Data Protection Act

Effective: January 1, 2025

Provides rights to access, delete, and opt-out of targeted advertising and data sales.

View Iowa SF 262 →

Indiana

Enacted

Indiana Consumer Data Protection Act

Effective: January 1, 2026

Grants consumer rights to access, correct, delete, and opt-out of data processing.

View Indiana SB 5 →

Kentucky

Enacted

Kentucky Consumer Data Protection Act (KCDPA)

Effective: January 1, 2026

Grants consumer rights to access, correct, delete, and opt-out of targeted advertising and data sales. Applies to controllers processing 100,000+ Kentucky consumers or 25,000+ when deriving 50%+ revenue from data sales.

View Kentucky HB 15 →

Rhode Island

Enacted

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Effective: January 1, 2026

Grants consumer rights to access, correct, delete, and opt-out of data processing. Notably low thresholds: 35,000 consumers, or 10,000 if 20%+ revenue from data sales.

View Rhode Island HB 7787 →

Tennessee

Enacted

Tennessee Information Protection Act (TIPA)

Effective: July 1, 2025

Provides consumer rights to access, correct, delete, and opt-out of data processing.

View Tennessee HB 1181 →

Nevada

Enacted

Nevada Privacy Law (SB 220)

Effective: October 1, 2019

Allows consumers to opt-out of the sale of their personal information.

View Nevada SB 220 →

Florida

Enacted

Florida Digital Bill of Rights (FDBR)

Effective: July 1, 2024

Comprehensive privacy law granting rights to access, correct, delete, and opt-out of data sales and targeted advertising.

View Florida Statutes Ch. 501 §701 →

New Jersey

Enacted

New Jersey Data Privacy Act (NJDPA)

Effective: January 15, 2025

Grants consumer rights to access, correct, delete, port data, and opt-out of sales, targeted advertising, and profiling; requires consent for sensitive data.

View New Jersey S332 →

New Hampshire

Enacted

New Hampshire Privacy Act (RSA 507-H)

Effective: January 1, 2025

Grants consumer rights to access, correct, delete, port, and opt-out of sales, targeted advertising, and profiling.

View New Hampshire RSA 507-H →

Maryland

Enacted

Maryland Online Data Privacy Act (MODPA)

Effective: October 1, 2025

One of the strictest state laws: hard data-minimization limits, a near-ban on selling sensitive data, and heightened protections for minors, alongside standard access, correction, deletion, and opt-out rights.

View Maryland SB 541 →

Minnesota

Enacted

Minnesota Consumer Data Privacy Act (MCDPA)

Effective: July 31, 2025

Grants access, correction, deletion, portability, and opt-out rights, plus a distinctive right to question the result of profiling and review the data used.

View Minnesota HF 4757 →

Nebraska

Enacted

Nebraska Data Privacy Act (NDPA)

Effective: January 1, 2025

Texas-style law with no revenue threshold: applies to most businesses that are not small businesses, with rights to access, correct, delete, and opt-out.

View Nebraska LB 1074 (Neb. Rev. Stat. 87-1101) →

⏳ States with Pending or Proposed Legislation

Oklahoma

Effective Jan 1, 2027

Oklahoma Consumer Data Privacy Act (OCDPA)

Status: Enacted; not yet effective

Comprehensive consumer privacy law granting access, correction, deletion, and opt-out rights. Effective date pending final confirmation.

View IAPP State Privacy Tracker →

Alabama

Effective May 1, 2027

Alabama Personal Data Protection Act (APDPA)

Status: Enacted; not yet effective

Comprehensive consumer privacy law granting access, correction, deletion, and opt-out rights. Effective date pending final confirmation.

View IAPP State Privacy Tracker →

Washington (Additional)

Proposed

People's Privacy Act

Status: Proposed 2025

Comprehensive privacy bill with strong consumer rights, data minimization, and private right of action.

View Washington Legislature →

New York

Pending

New York Privacy Act

Status: Under Consideration

Proposed comprehensive privacy law with strong consumer rights and data fiduciary duties.

View NY Senate Bill →

Massachusetts

Pending

Massachusetts Data Privacy Act

Status: Under Consideration

Proposed legislation providing comprehensive consumer data rights.

View MA Legislature →

Illinois

Enacted (Biometric)

Biometric Information Privacy Act (BIPA)

Effective: October 3, 2008

One of the strongest biometric privacy laws in the US, with private right of action.

View Illinois BIPA →

📋 Other Notable State Privacy Protections

Many states have sector-specific privacy laws or data breach notification requirements:

All 50 States + DC

Have data breach notification laws requiring companies to notify residents of security breaches.

Arkansas, Texas, Washington

Have biometric data privacy laws requiring consent for collection.

Maine

Internet Service Provider privacy law requiring opt-in for sensitive data.

Vermont

Data broker registration law requiring registration and security standards.

Federal Privacy Resources

While there's no comprehensive federal privacy law, these agencies provide guidance:

Federal Trade Commission (FTC)

Enforces consumer protection laws and provides privacy guidance

Visit FTC Privacy →

Health & Human Services (HHS)

Enforces HIPAA privacy and security rules for health information

Visit HHS HIPAA →

Consumer Financial Protection Bureau (CFPB)

Protects consumer financial data and privacy

Visit CFPB →

How Your Data Health Ensures Compliance

Your Data Health monitors and complies with all applicable state privacy laws where our members reside:

✅

Multi-State Compliance

Our platform is designed to comply with the strictest state privacy laws, ensuring protection for all members.

🔄

Continuous Monitoring

Your Data Health tracks new legislation and updates its practices to stay compliant with emerging state laws.

🛡️

Your Rights Protected

Your Data Health honors all consumer rights including access, deletion, correction, and opt-out across all states.

📜

Transparent Policies

Clear privacy notices and consent mechanisms that meet or exceed state requirements.

Questions About Your State's Privacy Laws?

Contact me to learn how your data is protected under your state's legislation.

Book a Call

Ready to Take Control?

Enterprise compliance auditing for FHIR, MHMDA, and state privacy standards.

Book a Call